PocketGuide Jun23
June 2023
The Pocket Guide
Glossary
Hardware Appliance Overview
➔ TMS-2300
➔ TMS-2600 & 2800
➔ TMS-5000
➔ TMS-8100
➔ HD-1000
Mitigation
➔ TMS & APS/AED - FCAP Traffic Filtering
Personal Notes
SP-6000
1 DB-9 serial console port: 9600/8-N-1
2 VGA connector
3 Ethernet port (eth0)
4 4x USB ports (USB2.0)
5 Ethernet ports (eth1-eth3, top to bottom)
6 Ethernet ports (eth4-eth11)
7 AC power supply
SP-7000
SP-7500
K-09A0X - Insight
TMS-2300
1 DB-9 serial console port: 9600/8-N-1
2 VGA connector
3 Management Ethernet port (mgt0)
4 4x USB ports (USB2.0)
5 Management Ethernet ports (mgt1-mgt3, top to bottom)
6 Ethernet ports (tmsx0 and tmsx1) - Mitigation only
7 Ethernet ports (tmsx2 - tmsx5) - Mitigation only
8 AC power supply
TMS-5000
TMS-8100
HD-1000
1 RJ-45 serial console port - SM0: 9600/8-N-1
2 4x 10GbE ports (tms0.0-tms0.3) SFP+ SR/LR
3 4x 10GbE ports (tms0.4.0-tms0.4.3) QSFP+ SR/LR with breakout cable
4 1x 1GbE Management Ethernet port (mgt0)
5 RJ-45 serial console port - SM1: 9600/8-N-1
6 4x 10GbE ports (tms1.0-tms1.3) SFP+ SR/LR
7 4x 10GbE ports (tms1.4.0-tms1.4.3) QSFP+ SR/LR with breakout cable
8 1x 1GbE Management Ethernet port (mgt1)

1 RJ-45 serial console port SM-320G-0: 9600/8-N-1
2 1x 100 GbE port (tms0.0) QSFP28 (SR4 or LR4)
3 4x 10GbE ports (tms0.1.0-tms0.1.3) QSFP+ SR4/LR4 with breakout cable
4 1x 100 GbE port (tms0.2) QSFP28 (SR4 or LR4)
5 1x 1GbE Management Ethernet port (mgt0)
6 RJ-45 serial console port SM-320G-1: 9600/8-N-1
7 1x 100 GbE port (tms1.0) QSFP28 (SR4 or LR4)
8 4x 10GbE ports (tms1.1.0-tms1.1.3) QSFP+ SR4/LR4 with breakout cable
9 1x 100 GbE port (tms1.2) QSFP28 (SR4 or LR4)
10 1x 1GbE Management Ethernet port (mgt1)
DC Power Connection
Mixing PPM-20G and PPM-50G within the same chassis requires the 1500W power supplies and Sightline Release 9.0.
One or two 10 GbE: Slot1: 10 GbE | Slot2: Not used | Slot6: 10 GbE | Slot7: Not used
One or two 40 GbE: Slot1: 40 GbE | Slot2: Not used | Slot6: 40 GbE | Slot7: Not used
One 40 GbE + one or two 10 GbE: Slot1: 40 GbE | Slot2: 10 GbE | Slot6: 10 GbE | Slot7: Not used
AED-8100
Front-Panel
1 Power button
2 System reset button
3 Chassis information LED
4 Fan status LED
5 Critical alarm LED
6 Major alarm LED
7 NMI button
8 Chassis ID button
9 NIC1/NIC2 activity LED
10 HDD activity LED
11 Power alarm LED
12 Minor alarm LED
13 RJ-45 serial console: 115200/8-N-1
One 10 GbE + one or two 1 GbE: Slot1: 1 GbE | Slot2: 1 GbE optional | Slot6: 10 GbE | Slot7: Not used
One 40 GbE + one or two 10 GbE: Slot1: 10 GbE | Slot2: 10 GbE optional | Slot6: 40 GbE | Slot7: Not used
AED-HD1000
1 RJ-45 serial console port SM-320G-0: 9600/8-N-1
2 1x 100 GbE port (ext0) QSFP28
3 4x 10GbE ports (ext2/int2, ext3/int3) QSFP+ with breakout cable
4 1x 100 GbE port (int0) QSFP28
5 1x 1GbE Management Ethernet port (mgt0)
6 RJ-45 serial console port SM-320G-1: 9600/8-N-1
7 1x 100 GbE port (ext1) QSFP28
8 4x 10GbE ports (ext4/int4, ext5/int5) QSFP+ with breakout cable
9 1x 100 GbE port (int1) QSFP28
10 1x 1GbE Management Ethernet port (mgt1)
CLI Commands (availability columns: Leader | TRA/DS | UI | TMS)
Global System
/ help global or help or ? see available command sub options - ✓ ✓ ✓
/ users list all CLI connected users on appliance - ✓ ✓ ✓
/ clock show or set the system clock - ✓ ✓ ✓
/ config show show the running configuration - ✓ ✓ ✓
/ config write or revert save or revert current configuration - ✓ ✓ ✓
/ config clear clear config on TMS to restart ZTP process (≥ 8.2) - - - ✓
/ config rcs diff|history|show show configuration commit history (≤9.2) ✓ - - -
Remote Access
/ ip access show show active and inactive IP access rules - ✓ ✓ ✓
/ ip access add proto int source-ip add IP access rule for remote access by protocol, ingress interface and source IP address or range (proto: cloudsignaling, bgp, https, ssh, ping, snmp, ...) - ✓ ✓ ✓
/ ip access delete proto int source-ip delete an IP access rule - ✓ ✓ ✓
/ ip access commit commit inactive IP access rules (+config write to persist reboot) - ✓ ✓ ✓
System Initialization
/ services sp bootstrap leader ip secret role configure device as a leader (ip: own management IPv4; secret: shared zone secret; role: PI, CP) ✓ - - -
/ services sp bootstrap non-leader ip secret role configure device as a non-leader (≤ 9.0.2) (ip: IPv4 address of the leader; secret: shared zone secret; role: PI, BI or CP) - ✓ ✓ -
/ services sp bootstrap non-leader ip own-ip secret role configure device as a non-leader (≥ 9.0.2) (ip: IPv4 address of the leader; own-ip: IPv4 address of this device; secret: shared zone secret; role: PI, BI, CP or AC*) *(≥ 9.4.0.0) - ✓ ✓ -
/ services tms bootstrap ip secret configure TMS (ip: IPv4 address of the leader; secret: shared zone secret) - - - ✓
IP + Interface Configuration and Verification
/ ip arp show show ARP entries (management interfaces only) - ✓ ✓ ✓
/ ip route show show IP routing configuration - ✓ ✓ ✓
/ ip interface show [brief] show network interface configuration - ✓ ✓ ✓
/ ip interface counter int [clear] show or clear interface counters - - - ✓
/ ip interfaces ring_rx_buf_size intf rx-buf-size set interface rx buffer size (≥ 9.0) - ✓ ✓ -
/ ip interfaces ifconfig int ip/M state set interface ip address/mask & interface state (≥ 9.2) - ✓ ✓ ✓
/ ip interfaces ifconfig int dhcp enable|disable enable/disable dhcp on management interface - ✓ ✓ ✓
/ ip interface show sfp show SFP details (≥ 9.4.0.0) - ✓ ✓ ✓
/ system hardware sfp show SFP details (< 9.4.0.0) - - - ✓
/ system hardware interface name pluggable-module-info show SFP/SFP+ details (≥ 9.1 and < 9.4.0.0) - - - ✓
/ system hardware interface name pause-frames show interface pause frames settings (≥ 9.1) - - - ✓
/ system hardware interface name dump-regs dump registers from interface hardware (≥ 9.1) - - - ✓
/ system hardware 10g-mgmt show/enable/dis. flip 10G interfaces from mitigation to management (≥9.3) - - - ✓
CLI System Configuration Commands
/ system banner set set banner on console and SSH connections - ✓ ✓ ✓
/ system name set hostname set device name - ✓ ✓ ✓
/ system idle set seconds set idle timeout for console and SSH connections - ✓ ✓ ✓
Filter Elements
[src|dst] (host|net) <address> matches a host or network as IP source, destination or either address
[src|dst] <address>/<mask> matches a prefix as IP source, destination or either address
(proto|protocol) <name> matches IP protocol by name
(proto|protocol) <number> matches IP protocol by number
(proto|protocol) <number>..<number> matches IP protocol by a range of numbers
[src|dst] port <name> matches TCP or UDP packets sent to, from or either by port name
[src|dst] port <number> matches TCP or UDP packets sent to, from or either by port number
[src|dst] port <number>..<number> matches TCP or UDP packets sent to, from or either by port range
(tflags|tcpflags) <tcp-flags> matches TCP packets by the TCP flags they carry
(bytes|bpp) <size> matches packets of exactly this length
(bytes|bpp) <size>..<size> matches packets whose length is within the range
icmptype <icmptype> matches ICMP packets based on message type
icmpcode <number> matches ICMP packets based on message code
tos <value> matches IP packets based on the Type of Service setting
ttl <value> matches IP packets based on their TTL value
frag matches IP packets that are fragments
(not|!) (proto|port|bpp|icmp…) negates the adjacent element; not supported for IP address elements
[and|or] combines elements; often used with brackets to nest individual expressions
All examples provided should first be tested in inactive mode, even if they are normally used without further constraints. It is possible that your valid traffic requires adjustments to the filters to prevent over-blocking.
# drop your own prefixes if these are not expected to be seen coming via the internet
drop src net [your own prefix(es)]
# drop traffic normally not used via the internet, stop scanning…
drop proto tcp and dst port 23
drop proto tcp and dst port 445
# drop DNS queries, if there is no DNS service running on the protected host!
drop proto udp and dst port 53
# drop DNS replies, if there is no external DNS resolution done by the protected host!
drop proto udp and src port 53
Mitigate Fragmented Attack Traffic – Fragments reported as src and dst port 0
The TMS reassembles fragmented packets if they arrive as complete sets before evaluating them against active countermeasures. However, UDP amplification attacks causing congestion are likely to result in complete sets. After reassembling a packet from a complete set of fragments, the TMS identifies the source and destination ports and displays them in the sample packets window.
The Sample Packets Shown section actually shows a UDP packet with a size of 15000 bytes, which was initially broken into 10 fragments (assuming an MTU of 1500 bytes). It also highlights that the packet was actually forwarded.
The frag keyword matches fragmented packets that are to be reassembled; it can be used in an FCAP expression like the one below, entered into the Black/White (Deny/Allow) Lists countermeasure.
Once the mentioned FCAP filter is applied, the previously forwarded traffic is dropped by the TMS.
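As an added example (not NETSCOUT code and not the TMS implementation), the following evaluator applies a subset of the FCAP elements from the table above to constructed packet records: src/dst host, net and address/mask, proto by name, number or range, port by number or range, frag, not/! and and/or with brackets. Port names, tcpflags, bytes/bpp, icmptype/icmpcode, tos and ttl are left out. The precedence (not binds tightest, then and, then or), the rejection of a negated address element, and the "first matching rule decides, otherwise pass" semantics are assumptions made for this example; the rule set reuses the drop rules listed above with 198.51.100.0/24 standing in for "your own prefix", and the final frag rule is this example's own.

```python
import ipaddress

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

def _num_or_range(tok, names=PROTO_NAMES):
    # '53' -> (53, 53); '1..1023' -> (1, 1023); 'udp' -> (17, 17) via the name table
    lo, _, hi = tok.partition("..")
    lo = int(names.get(lo, lo))
    return lo, (int(hi) if hi else lo)

def _either(pkt, direction, src_key, dst_key, pred):
    # pred applies to the src field, the dst field, or either when no prefix was given
    keys = {"src": (src_key,), "dst": (dst_key,), None: (src_key, dst_key)}[direction]
    return any(pred(pkt.get(k)) for k in keys)

class FcapParser:
    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").replace("!", " ! ").split()
        self.i = 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _chain(self, word, sub, combine):
        left = sub()
        while self.peek() == word:
            self.take()
            left = combine(left, sub())  # combine() builds each closure immediately
        return left
    def parse_or(self):
        return self._chain("or", self.parse_and, lambda l, r: lambda p: l(p) or r(p))
    def parse_and(self):
        return self._chain("and", self.parse_not, lambda l, r: lambda p: l(p) and r(p))
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            if getattr(inner, "is_address", False):  # table above: no negation of addresses
                raise ValueError("not/! is not supported for IP address elements")
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.parse_element()
    def _addr(self, direction, text):
        net = ipaddress.ip_network(text, strict=False)  # host, net or <address>/<mask>
        fn = lambda p: _either(p, direction, "src", "dst", lambda a: ipaddress.ip_address(a) in net)
        fn.is_address = True
        return fn
    def parse_element(self):
        tok, direction = self.take(), None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("host", "net"):
            return self._addr(direction, self.take())
        if tok == "port":  # TCP or UDP only; a packet without ports never matches
            lo, hi = _num_or_range(self.take(), {})
            return lambda p: p["proto"] in (6, 17) and _either(
                p, direction, "sport", "dport", lambda v: v is not None and lo <= v <= hi)
        if direction is not None or "/" in tok:  # bare [src|dst] <address>/<mask>
            return self._addr(direction, tok)
        if tok in ("proto", "protocol"):
            lo, hi = _num_or_range(self.take())
            return lambda p: lo <= p["proto"] <= hi
        if tok == "frag":
            return lambda p: bool(p.get("frag"))
        raise ValueError(f"unsupported element {tok!r}")

def compile_fcap(expr):
    """Compile one FCAP expression into a predicate, rejecting trailing tokens."""
    parser = FcapParser(expr)
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} in {expr!r}")
    return pred

def verdict(rules, pkt):
    """First matching (action, predicate) decides; an unmatched packet is passed (assumption)."""
    return next((action for action, pred in rules if pred(pkt)), "pass")

# Constructed rule set from the examples above; 198.51.100.0/24 stands in for "your own prefix".
RULES = [(action, compile_fcap(expr)) for action, expr in (
    ("drop", "src net 198.51.100.0/24"),
    ("drop", "proto tcp and dst port 23"),
    ("drop", "proto udp and dst port 53"),
    ("drop", "proto udp and src port 53"),
    ("drop", "proto udp and frag"),  # this example's own use of the frag keyword
)]

# Constructed packets; the fragment carries src and dst port 0 as in the section title.
PACKETS = {
    "dns_query": dict(src="203.0.113.7", dst="198.51.100.10", proto=17, sport=40001, dport=53),
    "https": dict(src="203.0.113.7", dst="198.51.100.10", proto=6, sport=51000, dport=443),
    "spoofed_src": dict(src="198.51.100.99", dst="198.51.100.10", proto=6, sport=51000, dport=443),
    "udp_fragment": dict(src="203.0.113.9", dst="198.51.100.10", proto=17, sport=0, dport=0, frag=True),
    "icmp_echo": dict(src="203.0.113.7", dst="198.51.100.10", proto=1),
}
```

Calling verdict(RULES, PACKETS["dns_query"]) returns "drop" while the HTTPS and ICMP records pass; the fragment with both ports 0 is caught only by the frag rule, which is the point of the section above, and compile_fcap("not src host 10.0.0.1") raises because negated address elements are not supported.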
Filter Elements
IP Filters:
ip
ip.hdr_len
ip.len
ip.version
ip.addr + (IP or CIDR)
ip.dsfield
ip.dsfield.{dscp|ecn}
ip.dst + (IP or CIDR)
ip.flags
ip.flags.{df|rb}
ip.proto
ip.src + (IP or CIDR)
ip.ttl
ICMP Filters:
icmp
icmp.checksum
icmp.code
icmp.type
TCP Filters:
tcp
tcp.option_kind
tcp.checksum
tcp.dstport
tcp.flags
tcp.flags.{ack|push|reset|syn|fin|cwr|ecn|ns|urg}
tcp.hdr_len
tcp.options.{sack_perm|mss_val}
tcp.port
tcp.srcport
tcp.window_size_value
UDP Filters:
udp
udp.checksum
udp.dstport
udp.length
udp.port
udp.srcport
Example
tcp.window_size_value > 10000 and tcp.options.sack_perm && tcp.options.mss_val ge 1450 and not tcp.port & 1
TCP window size is greater than 10,000 and TCP selective acknowledgement is enabled and the TCP MSS value is greater than or equal to 1450 bytes and the TCP port (bitwise verified) is not 1, i.e. is not an uneven port number.
Release ≥9.5.0.0
The syntax in the Packet Header Filtering countermeasure for the ip.flags field has changed. The new
syntax matches the syntax that Wireshark uses. Although the ip.flags field is a 3-bit field, Wireshark treats
it as a full byte. The Packet Header Filtering countermeasure previously treated ip.flags as a 3-bit field, but
now also treats it as a full byte.
Figures: TCP header, UDP header and ICMP header layouts (diagrams not reproduced here)
Sightline Mitigation
To filter using the destination prefix, type the destination CIDR block
to match. Only one CIDR block is allowed in this field.
To filter using the source prefix, type the source CIDR block to
match. Only one CIDR block is allowed in this field.
To filter using the source port, type the source port number or range
to match. Example: 32768-49151,49159-65535
To filter using the destination port, type the destination port number
or range to match. Example: 80
To filter using the ICMP type or code, type the ICMP type or code values or ranges in the appropriate fields. Example: 3,16-255
To filter using TCP flags, type the TCP flag numbers to match. The
common flag numbers are 1=fin, 2=syn, 4=rst, 8=psh, 16=ack,
32=urg, 64=ece, and 128=cwr. Example: 18 (SYN/ACK)
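The following added example (not NETSCOUT or Wireshark code) works through two of the numeric details above: how the ip.flags value changes between the old 3-bit reading and the full-byte reading noted for Release ≥9.5.0.0, read from a constructed raw IPv4 header, and how the Sightline mitigation TCP flag numbers (1=fin ... 128=cwr) are composed and decoded. It also evaluates the worked Packet Header Filtering expression on a constructed TCP record. The bit positions follow the IPv4 header layout (flags are the top three bits of the 16-bit flags/fragment-offset field); that the full-byte reading compares the low five offset bits as-is, and that tcp.port stands for either port, are assumptions made here, not statements from the guide.

```python
import struct

# IPv4 flags occupy the top 3 bits of the 16-bit flags/fragment-offset field:
# bit 2 reserved (rb), bit 1 Don't Fragment (df), bit 0 More Fragments (mf).
IP_RB, IP_DF, IP_MF = 0b100, 0b010, 0b001


def build_ipv4_header(flags, frag_offset, proto=17):
    """Constructed minimal 20-byte IPv4 header (checksum left 0; documentation addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, (flags << 13) | frag_offset,
                       64, proto, 0, bytes([203, 0, 113, 7]), bytes([198, 51, 100, 10]))


def ip_flags_values(ipv4_header):
    """Return (three_bit, full_byte) for ip.flags of a raw IPv4 header.
    three_bit is the pre-9.5.0.0 reading (0..7); full_byte is the Wireshark-style
    reading used from 9.5.0.0 on: the whole first byte of the field, whose low five
    bits are fragment-offset bits (this example assumes they are compared as-is)."""
    flags_offset = struct.unpack("!H", ipv4_header[6:8])[0]
    return flags_offset >> 13, flags_offset >> 8


def to_full_byte(three_bit_value):
    """Rewrite a pre-9.5.0.0 ip.flags comparison value into the full-byte form (2 -> 0x40)."""
    return three_bit_value << 5


# Sightline mitigation TCP flag numbers, as listed above.
TCP_FLAG_BITS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32, "ece": 64, "cwr": 128}


def tcp_flags_number(names):
    """'syn,ack' -> 18: the number typed into the Sightline TCP flags filter field."""
    return sum(TCP_FLAG_BITS[n.strip().lower()] for n in names.split(","))


def tcp_flags_names(number):
    """Inverse of tcp_flags_number: 18 -> ['syn', 'ack']."""
    return [name for name, bit in TCP_FLAG_BITS.items() if number & bit]


def example_filter_matches(tcp):
    """The worked Packet Header Filtering expression from the page, on a constructed TCP record:
      tcp.window_size_value > 10000 and tcp.options.sack_perm && tcp.options.mss_val ge 1450
      and not tcp.port & 1
    tcp.port is taken to stand for either port (assumed Wireshark semantics), so
    'not tcp.port & 1' holds only when both ports are even."""
    return (tcp["window_size_value"] > 10000
            and tcp["sack_perm"]
            and tcp["mss_val"] >= 1450
            and not (tcp["srcport"] & 1 or tcp["dstport"] & 1))


if __name__ == "__main__":
    first = build_ipv4_header(IP_DF, 0)     # unfragmented packet with DF set
    later = build_ipv4_header(IP_MF, 185)   # second fragment: MF set, offset 185*8 bytes
    print("DF packet ip.flags (3-bit, full byte):", ip_flags_values(first))    # (2, 64)
    print("MF fragment ip.flags (3-bit, full byte):", ip_flags_values(later))  # (1, 32)
    print("syn,ack ->", tcp_flags_number("syn,ack"), tcp_flags_names(18))   # 18 ['syn', 'ack']
```

A DF packet that matched ip.flags == 2 before 9.5.0.0 matches ip.flags == 0x40 afterwards, which to_full_byte() produces directly. Under a raw full-byte comparison a fragment whose offset exceeds 255 (in 8-byte units) carries offset bits in that same byte, so ip.flags == 0x20 would no longer match it; the test below checks that case with offset 370.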
The Sightline REST API output is in the JSON API format. The responses use return links to refer to other resources and support pagination. When you make a request to the REST API, you can specify which API version to use. For example, to use the version 3 alerts endpoint:
https://sightline.example.com/api/sp/v3/alerts/
If a request contains no version information, it defaults to the latest version. In most cases, the
Sightline REST API keeps the full functionality of still-supported previous versions. However, there
could be a situation where an older endpoint provides only partial functionality or is removed
entirely. More information can be found in the Arbor Sightline and TMS API Guide for the used
software release.
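As an added example (not NETSCOUT code), the following client builds a versioned or unversioned alerts URL as described above and walks the paginated JSON API responses by following their return links. Assumptions made here, to be checked against the API Guide for your release: the unversioned path is /api/sp/alerts/, the token is sent in an X-Arbux-APIToken header, and each page carries its items in "data" and the next page's URL in "links.next". The two response pages are constructed so the example runs offline.

```python
import json
import urllib.request


def alerts_url(base, version=None):
    """Build the alerts endpoint URL; omitting the version selects the latest (page above)."""
    path = f"/api/sp/v{version}/alerts/" if version else "/api/sp/alerts/"
    return base.rstrip("/") + path


def http_get_json(url, token, timeout=30):
    """Live fetcher: GET the URL with the API token and parse the JSON API body.
    The header name X-Arbux-APIToken is an assumption of this example."""
    req = urllib.request.Request(url, headers={"X-Arbux-APIToken": token,
                                               "Accept": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def iter_resources(first_url, fetch, max_pages=1000):
    """Yield every item in 'data' across pages, following links.next until it is absent.
    A repeated URL or more than max_pages pages stops the walk instead of looping forever."""
    url, seen = first_url, set()
    while url and len(seen) < max_pages:
        if url in seen:
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        body = fetch(url)
        yield from body.get("data", [])
        url = body.get("links", {}).get("next")


# Constructed responses standing in for a live Sightline instance (two pages of alerts).
BASE = "https://sightline.example.com"
FAKE_PAGES = {
    alerts_url(BASE, 3): {
        "data": [{"type": "alert", "id": "1001"}, {"type": "alert", "id": "1002"}],
        "links": {"self": alerts_url(BASE, 3), "next": alerts_url(BASE, 3) + "?page=2"},
    },
    alerts_url(BASE, 3) + "?page=2": {
        "data": [{"type": "alert", "id": "1003"}],
        "links": {"self": alerts_url(BASE, 3) + "?page=2"},
    },
}


def collect_alert_ids(fetch=FAKE_PAGES.__getitem__, version=3):
    """Collect alert ids from all pages; pass a live fetcher to query a real system."""
    return [item["id"] for item in iter_resources(alerts_url(BASE, version), fetch)]


if __name__ == "__main__":
    print(collect_alert_ids())  # offline run over the constructed pages
    # Live use: collect_alert_ids(lambda u: http_get_json(u, "YOUR-API-TOKEN-PLACEHOLDER"))
```

Pinning the version in the URL, as the page recommends, keeps a script working when the default moves to a newer version whose endpoint may carry partial functionality; the loop guard in iter_resources protects against a server that returns its own URL as "next".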
Route
SAFI 133 SAFI 133 SAFI 134
IPv4 IPv6 VPNv4 IPv4 IPv6 IPv4 IPv6 IPv4 IPv6 VPNv4 VPNv6 IPv4 IPv6
TRA ✓ ✓ ✓ ✓ ✓ ✓ ✓* ✓ ✓ ✓ ✓ X X
TMS X X X ✓ ✓ X X X X X X ✓ ✓
Personal Notes:
Contacts
CORPORATE HEADQUARTERS
NETSCOUT
310 Littleton Road
Westford, MA 01886-4105, USA
+1 978-614-4000
+1 888-357-7667 (Toll-free)
[email protected]
www.NETSCOUT.com/arbor-ddos
Arbor Cloud
+1 844-END-DDoS| +1 734-794-5099
Portal: https://config.arborcloud.netscout.com/auth/login
mail: [email protected]
Stay up-to-date
3.2306.01